Security researchers at Insikt Group have uncovered a major advancement in the operations of a newly designated threat actor, TAG-150, whose campaigns are rapidly evolving with sophisticated infrastructure and custom malware families.
According to Insikt Group, TAG-150 has been active since at least March 2025, showing a pattern of “rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure.” Their toolkit includes the long-observed CastleLoader and CastleBot, but most notably, researchers have now documented the debut of CastleRAT, a new remote access trojan available in both Python and C variants.
The report explains: “CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell.”
What sets TAG-150 apart is its multi-tiered infrastructure model, spanning from victim-facing Tier 1 C2 servers to higher-level Tier 4 backup systems. This layered design offers resilience and operational security.

- Tier 1: Victim-facing servers for CastleLoader, CastleRAT, SectopRAT, and WarmCookie.
- Tier 2: VPS servers acting as intermediaries, with RDP-based access.
- Tier 3: A mix of VPS nodes and a Russian residential IP address, which notably communicates with Tox servers for internal coordination.
- Tier 4: Backup nodes maintaining persistent high-port UDP connections, including one case where a Tier 4 server directly interacted with a CastleLoader panel — an “operational security lapse,” according to the researchers.
Insikt Group observed two distinct versions of CastleRAT:
- Python Variant (aka PyNightshade): A lightweight RAT with stealthy behavior, minimal antivirus detection, and capabilities such as system reconnaissance, PowerShell command execution, and self-deletion. It also leverages Steam Community pages as C2 dead drops, a tactic first seen in late August 2025.
- C Variant: A more advanced build featuring keylogging, screen capture, file uploads, and process termination. Unlike the Python version, it is more detectable but significantly more powerful, even checking for VPN or proxy indicators via the ip-api[.]com service.
The group noted: “CastleRAT is in continual development… with new features such as encapsulating the binary protocol within WebSockets and leveraging Steam Community pages for C2 dead drops.”
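A defender-side hunting heuristic suggested by the two behaviours above (the C variant's ip-api[.]com VPN/proxy check and the Python variant's Steam Community dead drops): flag any host whose proxy logs show a GeoIP lookup followed shortly by a fetch of a Steam Community page. This is an added example written for this page, not code from Insikt Group or from the report; the log format and the five-minute window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed proxy log lines (assumed format: "<ISO time> <host> <method> <url>").
SAMPLE_LOGS = """\
2025-09-01T10:00:05 host-a GET http://ip-api.com/json/
2025-09-01T10:00:09 host-a GET https://steamcommunity.com/profiles/EXAMPLE-ID-1
2025-09-01T10:30:00 host-b GET https://steamcommunity.com/app/730
2025-09-01T11:00:00 host-c GET http://ip-api.com/json/
2025-09-01T13:00:00 host-c GET https://steamcommunity.com/profiles/EXAMPLE-ID-2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
GEOIP_HOSTS = {"ip-api.com"}          # VPN/proxy check service named in the report
DEADDROP_HOSTS = {"steamcommunity.com"}  # dead-drop resolver location named in the report


def parse(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, client host, URL host) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, host, _method, url = m.groups()
        url_host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        events.append((datetime.fromisoformat(ts), host, url_host))
    return events


def suspicious_hosts(log_text: str, window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Hosts that queried a GeoIP/VPN-check service and then, within `window`,
    fetched a Steam Community page. Order matters: the check must come first."""
    per_host: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, host, url_host in parse(log_text):
        per_host.setdefault(host, []).append((ts, url_host))
    flagged = []
    for host, evs in per_host.items():
        evs.sort()
        geo_times = [t for t, h in evs if h in GEOIP_HOSTS]
        for t, h in evs:
            if h in DEADDROP_HOSTS and any(
                timedelta(0) <= (t - g) <= window for g in geo_times
            ):
                flagged.append(host)
                break
    return sorted(flagged)
```

On the constructed sample only host-a is flagged: host-b never performed the GeoIP check and host-c's two requests are two hours apart, so a tighter window keeps ordinary Steam traffic out of the alert.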
One of the most concerning findings is the possible overlap between TAG-150 infrastructure and Play Ransomware operations. Insikt Group identified a WarmCookie C2 server communicating with an IP tied to a known Play Ransomware victim. While no definitive link has been proven, the overlap “increases the likelihood” that TAG-150’s tools may have been used in ransomware campaigns.
Beyond malware, TAG-150 is leveraging file-sharing and anonymization services to stay resilient. These include temp[.]sh, mega[.]nz, simpleswap[.]io, and the anti-detection service Kleenscan (a successor to AVCheck). Researchers also observed use of the Oxen network (Lokinet) for secure messaging.
TAG-150 shows no signs of slowing down. Insikt Group concludes: “TAG-150 will continue to evolve its tooling at a rapid pace, with a particular emphasis on stealth and evasion… [and is] highly likely to develop and release additional malware in the near term.”